Experts at security firm Dr. Web revealed that 39% of all existing Counter-Strike 1.6 game servers online are malicious; an attacker is exploiting zero-day flaws in game clients.
Bad news for gamers of the popular game Counter-Strike: according to the experts at the security firm Dr. Web, 39% of all existing Counter-Strike 1.6 game servers online are malicious.
The game Counter-Strike 1.6 was developed by Valve Corporation in 2000. Roughly 20,000 players are using official Counter-Strike 1.6 clients, while the overall number of game servers registered on Steam is over 5,000.
Threat actors have set up the servers in an attempt to hack gamers’ computers worldwide by exploiting zero-day vulnerabilities in the game client.
The owners of many servers raise money from players by selling various privileges, such as access to weapons and protection against bans.
“Some server owners advertise themselves independently, while others purchase server promotion services from contractors. Having paid for a service, customers often remain oblivious as to how exactly their servers are advertised.” reads the analysis published by Dr.Web. “As it turned out, the developer nicknamed, “
The owner of the malicious server exploits the vulnerabilities in the game client to infect clients with a newly written Trojan dubbed Belonard, which downloads malware to secure the Trojan in the system and spread it to other players.
Experts at Dr.
The developer ‘
Once it has infected a gamer’s client, the Belonard Trojan replaces the list of available game servers and creates proxies to spread the Trojan.
“Once set up in the system, Trojan
“As a rule, proxy servers show a lower ping, so other players will see them at the top of the list. By selecting one of them, a player gets redirected to a malicious server where their computer
The Trojan

Experts noticed that one of the components, Trojan.
Another component, Trojan.
Dr. Web has already reported the issues exploited by the attackers to Valve Corporation; the company also reported the malicious domain names used by the developer to the Russian web registrar, which quickly suspended them.
“Doctor Web’s analysts took all necessary measures in order to neutralize the
“At the present moment,